Session

A step closer to in-toto’lly secure: Using in-toto and OPA Gatekeeper to verify artifact integrity

Searching for faster development loops, consistency and security, most teams automate their development process from `git commit` to `kubectl apply`. From Jenkins pipelines to GitHub Actions jobs, this automation varies hugely. While each implementation's speed and consistency can certainly be debated, what about security?

While GitHub Actions pipelines can be argued to be more secure than ancient Jenkins scripts, all supply chains share a similar risk: actors or processes breaking the expected consistency and injecting code that could wreak havoc at runtime. Since this could happen anywhere from `git commit` all the way up to `kubectl apply`, understanding what happened in between is crucial.

in-toto pioneers frameworks and tools so that businesses and projects can secure the way in which software is developed, built, tested and packaged. This includes two in-toto subprojects, Witness and Archivista, that make it easy to verify artifact integrity no matter the supply chain and no matter the runtime.

In this talk, we will demonstrate an end-to-end flow for securely developing container images to run on Kubernetes using these tools with Open Policy Agent’s admission controller, Gatekeeper.
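To make the "understanding what happened in between" concrete, here is an added, self-contained illustration of the chaining check that in-toto style verification performs: each step records the hashes of what it consumed (materials) and produced (products), a verifier confirms that every step's materials equal the previous step's products, that the authorised functionary signed each step, and that the final artifact is a product of the last step. This is constructed example code, not in-toto's link format, Witness's attestation format, or Archivista's API; it uses HMAC with shared secrets in place of real asymmetric signatures, and the keys, layout, file contents and step names are all assumptions.

```python
"""Toy in-toto style chain verification (constructed example, not in-toto code)."""
import hashlib
import hmac
import json

# Assumption: one signing key per functionary (real in-toto uses asymmetric keys).
KEYS = {"dev": b"dev-secret", "ci": b"ci-secret"}

# Assumption: the layout fixes the step order and who may sign each step.
LAYOUT = [
    {"name": "build", "signer": "dev"},
    {"name": "package", "signer": "ci"},
]

# Constructed artifact contents standing in for real files.
SRC = b"package main\n"
BINARY = b"\x7fELF compiled app"
IMAGE = b"container image tarball"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_link(name, signer, materials, products):
    """Record one step's material/product hashes and sign them as `signer`."""
    body = {
        "name": name,
        "materials": {path: sha256(data) for path, data in materials.items()},
        "products": {path: sha256(data) for path, data in products.items()},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(KEYS[signer], payload, hashlib.sha256).hexdigest()
    return {"signer": signer, "payload": payload, "sig": sig}


def verify_chain(links, final_artifact):
    """Return (ok, reason); ok is True only if every layout rule holds."""
    if len(links) != len(LAYOUT):
        return False, "wrong number of steps"
    prev_products = None
    for rule, link in zip(LAYOUT, links):
        # The signature is recomputed with the key of the *expected* signer,
        # so a link signed by anyone else fails here.
        expected = hmac.new(KEYS[rule["signer"]], link["payload"], hashlib.sha256).hexdigest()
        if link["signer"] != rule["signer"] or not hmac.compare_digest(expected, link["sig"]):
            return False, f"step {rule['name']}: bad signature or unauthorised signer"
        body = json.loads(link["payload"])
        if body["name"] != rule["name"]:
            return False, f"expected step {rule['name']}, got {body['name']}"
        # Chain rule: this step must have consumed exactly what the last one produced.
        if prev_products is not None and body["materials"] != prev_products:
            return False, f"step {rule['name']}: materials do not match previous products"
        prev_products = body["products"]
    if sha256(final_artifact) not in prev_products.values():
        return False, "final artifact was not produced by the last step"
    return True, "ok"


def honest_chain():
    return [
        sign_link("build", "dev", {"main.go": SRC}, {"app": BINARY}),
        sign_link("package", "ci", {"app": BINARY}, {"image.tar": IMAGE}),
    ]


def swapped_binary_chain():
    """Binary replaced between build and package: the chain rule catches it."""
    links = honest_chain()
    links[1] = sign_link("package", "ci", {"app": b"backdoored app"}, {"image.tar": IMAGE})
    return links


def wrong_signer_chain():
    """dev, not the CI functionary, signed the package step."""
    links = honest_chain()
    links[1] = sign_link("package", "dev", {"app": BINARY}, {"image.tar": IMAGE})
    return links


if __name__ == "__main__":
    print("honest:", verify_chain(honest_chain(), IMAGE))
    print("swapped binary:", verify_chain(swapped_binary_chain(), IMAGE))
    print("wrong signer:", verify_chain(wrong_signer_chain(), IMAGE))
    print("unknown image:", verify_chain(honest_chain(), b"some other image"))
```

The point an admission controller such as Gatekeeper adds on top of this is where the check runs: the image digest it sees in a Pod spec plays the role of `final_artifact`, and the deployment is refused unless verification against the recorded chain succeeds.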

John Kjell

Director of Open Source at TestifySec

Minneapolis, Minnesota, United States


